version: 1
metadata:
  name: Home Assistant OAuth2 Integration
entries:
  - model: authentik_providers_oauth2.oauth2provider
    id: homeassistant-provider
    identifiers:
      name: Home Assistant
    attrs:
      authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
      invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
      client_type: confidential
      client_id: !Format [homeassistant-%s, !Env RANDOM_ID]
      client_secret: !Format [%s, !Env RANDOM_SECRET]
      redirect_uris: |
        https://bob.nianticbooks.com/auth/external/callback
      signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
      sub_mode: hashed_user_id
      include_claims_in_id_token: true

  - model: authentik_core.application
    id: homeassistant-app
    identifiers:
      slug: home-assistant
    attrs:
      name: Home Assistant
      provider: !KeyOf homeassistant-provider
      launch_url: https://bob.nianticbooks.com